This repository has been archived by the owner. It is now read-only.

Upgrade openssl to 1.0.1c #3999

Merged
merged 12 commits into from Sep 12, 2012

piscisaureus commented Sep 11, 2012

Works on windows and linux.

TODO:

  • Check all floating patches. There are no new ones - all of these were in node already, I just cut them loose and turned them into separate commits. @bnoordhuis, can you help here?
  • Test on arm (@TooTallNate ?)
  • Test on solaris and mac

piscisaureus commented Sep 11, 2012

FYI: "handshake cut-through" is also known as False Start.


TooTallNate commented Sep 12, 2012

Build fails on arm:

  arm-unknown-linux-gnueabi-gcc '-D_LARGEFILE_SOURCE' '-D_FILE_OFFSET_BITS=64' '-DL_ENDIAN' '-DOPENSSL_THREADS' '-DPURIFY' '-D_REENTRANT' '-DOPENSSL_NO_DGRAM' '-DOPENSSL_NO_DTLS1' '-DOPENSSL_NO_SCTP' '-DOPENSSL_NO_SOCK' '-DOPENSSL_NO_GOST' '-DOPENSSL_NO_HW_PADLOCK' '-DOPENSSL_NO_TTY' '-DENGINESDIR="/dev/null"' '-DOPENSSLDIR="/etc/ssl"' '-DTERMIOS' -I../deps/openssl -I../deps/openssl/openssl -I../deps/openssl/openssl/crypto -I../deps/openssl/openssl/crypto/asn1 -I../deps/openssl/openssl/crypto/evp -I../deps/openssl/openssl/crypto/md2 -I../deps/openssl/openssl/crypto/modes -I../deps/openssl/openssl/crypto/store -I../deps/openssl/openssl/include -I../deps/openssl/config/android  -Wall -Wextra -Wno-unused-parameter -pthread -O2 -fno-strict-aliasing -fno-tree-vrp  -MMD -MF /Users/nrajlich/node/out/Release/.deps//Users/nrajlich/node/out/Release/obj.target/openssl/deps/openssl/openssl/crypto/ec/ecp_nistp224.o.d.raw  -c -o /Users/nrajlich/node/out/Release/obj.target/openssl/deps/openssl/openssl/crypto/ec/ecp_nistp224.o ../deps/openssl/openssl/crypto/ec/ecp_nistp224.c
../deps/openssl/openssl/crypto/ec/ecp_nistp224.c:43:3: error: unknown type name '__uint128_t'
../deps/openssl/openssl/crypto/ec/ecp_nistp224.c: In function 'widefelem_diff':
../deps/openssl/openssl/crypto/ec/ecp_nistp224.c:422:2: warning: left shift count >= width of type [enabled by default]
../deps/openssl/openssl/crypto/ec/ecp_nistp224.c:422:33: warning: initializer element is not a constant expression [enabled by default]
../deps/openssl/openssl/crypto/ec/ecp_nistp224.c:423:2: warning: left shift count >= width of type [enabled by default]
../deps/openssl/openssl/crypto/ec/ecp_nistp224.c:424:3: warning: left shift count >= width of type [enabled by default]
../deps/openssl/openssl/crypto/ec/ecp_nistp224.c:423:36: warning: initializer element is not a constant expression [enabled by default]
../deps/openssl/openssl/crypto/ec/ecp_nistp224.c:425:2: warning: left shift count >= width of type [enabled by default]
../deps/openssl/openssl/crypto/ec/ecp_nistp224.c:426:3: warning: left shift count >= width of type [enabled by default]
../deps/openssl/openssl/crypto/ec/ecp_nistp224.c:426:3: warning: left shift count >= width of type [enabled by default]
../deps/openssl/openssl/crypto/ec/ecp_nistp224.c:425:40: warning: initializer element is not a constant expression [enabled by default]
../deps/openssl/openssl/crypto/ec/ecp_nistp224.c: In function 'felem_diff_128_64':
../deps/openssl/openssl/crypto/ec/ecp_nistp224.c:450:2: warning: left shift count >= width of type [enabled by default]
../deps/openssl/openssl/crypto/ec/ecp_nistp224.c:450:34: warning: initializer element is not a constant expression [enabled by default]
../deps/openssl/openssl/crypto/ec/ecp_nistp224.c:452:2: warning: left shift count >= width of type [enabled by default]
../deps/openssl/openssl/crypto/ec/ecp_nistp224.c:452:34: warning: initializer element is not a constant expression [enabled by default]
../deps/openssl/openssl/crypto/ec/ecp_nistp224.c:454:2: warning: left shift count >= width of type [enabled by default]
../deps/openssl/openssl/crypto/ec/ecp_nistp224.c:455:3: warning: left shift count >= width of type [enabled by default]
../deps/openssl/openssl/crypto/ec/ecp_nistp224.c:454:37: warning: initializer element is not a constant expression [enabled by default]
../deps/openssl/openssl/crypto/ec/ecp_nistp224.c: In function 'felem_reduce':
../deps/openssl/openssl/crypto/ec/ecp_nistp224.c:527:2: warning: left shift count >= width of type [enabled by default]
../deps/openssl/openssl/crypto/ec/ecp_nistp224.c:527:36: warning: initializer element is not a constant expression [enabled by default]
../deps/openssl/openssl/crypto/ec/ecp_nistp224.c:529:2: warning: left shift count >= width of type [enabled by default]
../deps/openssl/openssl/crypto/ec/ecp_nistp224.c:530:3: warning: left shift count >= width of type [enabled by default]
../deps/openssl/openssl/crypto/ec/ecp_nistp224.c:529:36: warning: initializer element is not a constant expression [enabled by default]
../deps/openssl/openssl/crypto/ec/ecp_nistp224.c:531:2: warning: left shift count >= width of type [enabled by default]
../deps/openssl/openssl/crypto/ec/ecp_nistp224.c:532:3: warning: left shift count >= width of type [enabled by default]
../deps/openssl/openssl/crypto/ec/ecp_nistp224.c:532:3: warning: left shift count >= width of type [enabled by default]
../deps/openssl/openssl/crypto/ec/ecp_nistp224.c:531:39: warning: initializer element is not a constant expression [enabled by default]
../deps/openssl/openssl/crypto/ec/ecp_nistp224.c:544:2: warning: left shift count >= width of type [enabled by default]
../deps/openssl/openssl/crypto/ec/ecp_nistp224.c:548:2: warning: left shift count >= width of type [enabled by default]
../deps/openssl/openssl/crypto/ec/ecp_nistp224.c:552:2: warning: left shift count >= width of type [enabled by default]
../deps/openssl/openssl/crypto/ec/ecp_nistp224.c:556:2: warning: right shift count >= width of type [enabled by default]
../deps/openssl/openssl/crypto/ec/ecp_nistp224.c:559:2: warning: right shift count >= width of type [enabled by default]
../deps/openssl/openssl/crypto/ec/ecp_nistp224.c:567:2: warning: left shift count >= width of type [enabled by default]
../deps/openssl/openssl/crypto/ec/ecp_nistp224.c:571:2: warning: right shift count >= width of type [enabled by default]
../deps/openssl/openssl/crypto/ec/ecp_nistp224.c:574:2: warning: right shift count >= width of type [enabled by default]
../deps/openssl/openssl/crypto/ec/ecp_nistp224.c:577:2: warning: right shift count >= width of type [enabled by default]
make[1]: *** [/Users/nrajlich/node/out/Release/obj.target/openssl/deps/openssl/openssl/crypto/ec/ecp_nistp224.o] Error 1
make: *** [node] Error 2

TooTallNate commented Sep 12, 2012

OS X builds correctly (haven't run tests yet).


TooTallNate commented Sep 12, 2012

Builds correctly for arm-linux (also haven't run tests yet).

piscisaureus and others added some commits Sep 11, 2012

openssl: reduce memory consumption
SSL records may be as large as 16K, but are typically < 2K.  In
addition, a historic bug in Windows allowed records to be as large
as 32K.  OpenSSL statically allocates read and write buffers (34K and
18K respectively) used for processing records.

With this patch, OpenSSL statically allocates 4K + 4K buffers, with
the option of dynamically growing buffers to 34K + 4K, which is a
saving of 44K per connection for the typical case.

This patch is taken from the Android Open Source Project.

openssl: support handshake cut-through
Enables SSL3+ clients to send application data immediately following the
Finished message even when negotiating full-handshakes.  With this patch,
clients can negotiate SSL connections in 1-RTT even when performing
full-handshakes.

This patch is taken from the Android Open Source Project.

openssl: apply upstream sha1-armv4-large.pl patch
This is a back-port of r22768: sha1-armv4-large.pl: comply with ABI.

openssl: backward compatibility after x509 hash function change
There are many symbolic links under /etc/ssl/certs created by using the hash of
the PEM certificates in order for OpenSSL to find those certificates.
OpenSSL has a tool to help you create hash symbolic links. (See tools/c_rehash)
However, the new openssl changed the hash algorithm. Unless you compile/install
the latest openssl library and re-create all related symbolic links, the new
openssl cannot find some certificates because the links of those certificates
were created by using the old hash algorithm, which causes some tests to fail.

This patch gives a way to find a certificate according to its hash by using both
the new algorithm and the old algorithm.

crbug.com/111045 is used to track this issue.

This patch is taken from the Chromium project.

openssl: fix uninitialized memory access
ASN1_STRING_to_UTF8() passes an ASN1_STRING to ASN1_STRING_set() but
forgot to initialize the `length` field.

Fixes the following valgrind error:

  $ valgrind -q --track-origins=yes --num-callers=19 \
      out/Debug/node test/simple/test-tls-client-abort.js
  ==2690== Conditional jump or move depends on uninitialised value(s)
  ==2690==    at 0x784B69: ASN1_STRING_set (asn1_lib.c:382)
  ==2690==    by 0x809564: ASN1_mbstring_ncopy (a_mbstr.c:204)
  ==2690==    by 0x8090F0: ASN1_mbstring_copy (a_mbstr.c:86)
  ==2690==    by 0x782F1F: ASN1_STRING_to_UTF8 (a_strex.c:570)
  ==2690==    by 0x78F090: asn1_string_canon (x_name.c:409)
  ==2690==    by 0x78EF17: x509_name_canon (x_name.c:354)
  ==2690==    by 0x78EA7D: x509_name_ex_d2i (x_name.c:210)
  ==2690==    by 0x788058: ASN1_item_ex_d2i (tasn_dec.c:239)
  ==2690==    by 0x7890D4: asn1_template_noexp_d2i (tasn_dec.c:746)
  ==2690==    by 0x788CB6: asn1_template_ex_d2i (tasn_dec.c:607)
  ==2690==    by 0x78877A: ASN1_item_ex_d2i (tasn_dec.c:448)
  ==2690==    by 0x7890D4: asn1_template_noexp_d2i (tasn_dec.c:746)
  ==2690==    by 0x788CB6: asn1_template_ex_d2i (tasn_dec.c:607)
  ==2690==    by 0x78877A: ASN1_item_ex_d2i (tasn_dec.c:448)
  ==2690==    by 0x787C93: ASN1_item_d2i (tasn_dec.c:136)
  ==2690==    by 0x78F5E4: d2i_X509 (x_x509.c:141)
  ==2690==    by 0x7C9B91: PEM_ASN1_read_bio (pem_oth.c:81)
  ==2690==    by 0x7CA506: PEM_read_bio_X509 (pem_x509.c:67)
  ==2690==    by 0x703C9A: node::crypto::SecureContext::AddRootCerts(v8::Arguments const&) (node_crypto.cc:497)
  ==2690==  Uninitialised value was created by a stack allocation
  ==2690==    at 0x782E89: ASN1_STRING_to_UTF8 (a_strex.c:560)
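
The bug class in the commit above, as an added example that is not part of the commit or of OpenSSL: a simplified model in which a setter decides whether to reallocate by reading `length` before `data`, so a stack temporary must have both fields initialized. The `mini_string` type and both function names are hypothetical.

```c
/* Simplified model; mini_string* names are hypothetical, not OpenSSL source. */
#include <stdlib.h>
#include <string.h>

typedef struct {
    int length;
    unsigned char *data;
} mini_string;

/* Reuses the existing buffer when it is big enough. The test reads
 * s->length before s->data, so the caller must initialize both. */
static int mini_string_set(mini_string *s, const void *src, int len)
{
    if (s->length < len || s->data == NULL) {
        unsigned char *p = realloc(s->data, (size_t)len + 1);
        if (p == NULL)
            return 0;
        s->data = p;
    }
    s->length = len;
    memcpy(s->data, src, (size_t)len);
    s->data[len] = '\0';
    return 1;
}

/* Caller with a stack-allocated temporary, as in the trace above.
 * Returns the copied length, or -1 on allocation failure. */
static int to_utf8(const char *in, unsigned char **out)
{
    mini_string tmp;            /* stack allocation: fields start as garbage */
    tmp.data = NULL;
#ifndef SHOW_BUG
    tmp.length = 0;             /* the fix: initialize what the callee reads */
#endif
    if (!mini_string_set(&tmp, in, (int)strlen(in)))
        return -1;
    *out = tmp.data;
    return tmp.length;
}

int main(void)
{
    unsigned char *out = NULL;
    int n = to_utf8("CN=example", &out);   /* constructed sample input */
    free(out);
    return n == 10 ? 0 : 1;
}
```

Compiling with `-DSHOW_BUG -O0 -g` leaves `tmp.length` unset, which is the kind of read valgrind reports as a conditional jump on an uninitialised value; the result is still correct because `data == NULL` forces the allocation, which is why such bugs go unnoticed without a checker.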

openssl: use dummy OPENSSL_cpuid_setup function
Use an empty implementation for function OPENSSL_cpuid_setup to resolve a link
error. We should figure out how to generate a platform-specific implementation
of OPENSSL_cpuid_setup by leveraging crypto/*cpuid.pl.

This patch is taken from Chromium.

openssl: replace symlinks by #include shims
Git for Windows can't create symlinks. This works too.

openssl: remove obsolete patch files
These patches were provided by Android and Chromium. In this form they
are not useful. The ones that we need are landed as separate commits.

As of openssl 1.0.1c, three of them made it upstream:
  * npn.patch (Next Protocol Negotiation support)
  * tls_exporter.patch (RFC 5705 Keying Material Exporters for TLS)
  * openssl_no_dtls1.patch (minor bugfix)

piscisaureus commented Sep 12, 2012

@bnoordhuis I removed all obsolete patches. I think this is good to go for now.

openssl: disable harmless compiler warnings
Compile with -Wno-missing-field-initializers and -Wno-old-style-declaration.
The warnings are harmless but they clutter the build output a great deal.

bnoordhuis commented Sep 12, 2012

Yep, looks like it's good to go. @TooTallNate: did you get a chance to test ARM?


piscisaureus commented Sep 12, 2012

@bnoordhuis

This effectively reverts an earlier commit of yours that deletes all apps and tests. The reasons that you mentioned were symlink problems on windows (I fixed that with c4b9be7) and the tarball size. Personally I don't like pruning these folders because I can no longer run the openssl tests.

If tarball size is a concern then I can update the makefile to leave these folders out of the tarball. Opinions?


bnoordhuis commented Sep 12, 2012

> If tarball size is a concern then I can update the makefile to leave these folders out of the tarball. Opinions?

Sounds like a good idea but don't waste too much time on it, the apps are a few 100K total.

@piscisaureus piscisaureus merged commit d3fa0dc into master Sep 12, 2012
